JS_BONDAT.GGQW


 ALIASES:

Js.Worm.Vjworm.Dzul (Tencent)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Worm uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops.

  TECHNICAL DETAILS

File Size:

24,443 bytes

File Type:

JS

Memory Resident:

Yes

Initial Samples Received Date:

16 Jan 2018

Installation

This Worm drops the following files:

  • %System%\Tasks\Skype

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops.

Autostart Technique

This Worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
FR2A2Z30F1 = {malware filename}

The scheduled task executes the malware every:

  • 30 minutes

It enables its automatic execution at every system startup by dropping the following copies of itself into the Windows Common Startup folder:

  • %User Startup%\{malware filename}.js

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Documents and Settings\{user}\Start Menu\Programs\Startup on Windows 2000 and XP, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

Other System Modifications

This Worm adds the following registry entries:

HKEY_CURRENT_USER
vjw0rm = {TRUE or FALSE}

Propagation

This Worm drops copies of itself in removable drives. These copies use the names of the following items located on the said drives for their file names:

  • Folders
  • Files

It creates shortcut files (.LNK) disguised as folders or files located on the affected drives pointing to the malware copy.

Other Details

This Worm connects to the following URL(s) to check for an Internet connection:

  • http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  • http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?450e630818915f6b

It connects to the following possibly malicious URL:

  • http://{BLOCKED}lkidsy2hf.{BLOCKED}s.net:1090/Vre